June 24, 2007
June 24, 2007
June 27, 2007
12.1542.1 - 12.1542.12
Using Data Mining to Detect Intrusions in Computer Networks
In recent years Data mining techniques have been applied in many different fields including marketing, manufacturing, process control, fraud detection and network management. Over the past several years a growing number of research projects have applied data mining to various problems in intrusion detection. The goal of this research is to design and implement an anomaly detector using data mining. The project includes the use of open source tools and/or modifications to existing tools to incorporate the goals of collection, filtering, storage, archival, and attack detection in a cohesive software system. This paper also surveys a representative cross section of these research efforts. Conclusions are drawn and directions for future research are suggested.
Intrusion detection is the process of monitoring and analyzing the events occurring in a computer system in order to detect signs of security problems3. The importance of Intrusion Detection Systems (IDS) has grown tremendously recently because of our dependence on electronic forms of data. Sensitive information, which has to be kept secure, is kept in an electronic form on computers. Military and the Government have been the most vocal of the IDS users, but more and more private organizations are realizing the importance of such a system.
Current IDS are tuned to detect known attacks. Enough data exists or could be collected to allow network administrators to detect policy violations. Unfortunately, the data is so voluminous, and the analysis process so time consuming, that the administrators have problems analyzing the data. Data Mining adds additional depth to the administrator’s defenses, and allows them to more accurately determine what the threats against their network are. Hence, activity that it is not detected in near real-time in an online NID, can now be identified. Some examples of attacks that mining could detect, that online NIDS cannot detect, include certain types of malicious activity, such as low and slow scans, a slowly propagating worm, unusual activity of a user based on some new pattern of activity. Ideally, such a system should be able to derive a threat level for the network activity that it analyzes, and predict future attacks based on past activity.
Designing and implementing an anomaly detector is the major goal of this project. Data mining has become a very useful technique to reduce information overload and improve decision making by extracting and refining useful knowledge through a process of searching for relationships and patterns from the extensive data collected by organizations. The extracted information is used to predict, classify, model, and summarize the data being mined. In recent years data mining techniques have been successfully used for intrusion detection9.
Data Mining, KDD and Related fields
The term knowledge discovery in databases (KDD) is used to denote the process of extracting useful knowledge from large data sets. Data mining, by contrast, refers to one particular step in
Garcia, M. (2007, June), Using Data Mining To Detect Intrusions In Computer Networks Paper presented at 2007 Annual Conference & Exposition, Honolulu, Hawaii. https://peer.asee.org/1562
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2007 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015